1. Go to Authentication > MFA Settings.
  2. For MFA status for new users, specify whether MFA should be enabled by default for a user when their account is created.
  3. For Maximum allowed methods, select the maximum number of authentication methods that users can set up for their accounts. The default is 5. Users can have multiple authentication methods using the same device. For example, an end user could have SMS, voice, biometrics, and an authenticator app all on a single mobile device.
    Note: If you reduce the maximum value, existing methods are not affected. For example, if a user has 4 authentication methods set up, but you reduce the maximum number to 3, the user will not have to remove an existing authentication method.
  4. If some of your users will be pairing devices that have phone numbers with extensions, set the Phone numbers with extensions option to Enabled.
  5. For Account lockout, enter or edit the following:
    • Account lockout. The maximum number of incorrect MFA authorization actions a user can attempt (such as entering an incorrect OTP or declining a push confirmation on a mobile device) before the account is locked.
      Note: This value includes MFA authentication attempts across all configured devices.
    • Account lockout duration. The amount of time (in seconds) to keep the account locked after the failure count is exceeded. The account will automatically unlock after the specified time passes.
  6. Select the type of key to use for pairing of devices: 12-digit numeric key or 16-character alphanumeric key.
  7. Click Save.
You can unlock or disable a user account on the user details page. See Enabling or unlocking a user account or device.